Package com.google.api.client.auth.openidconnect

Class IdTokenVerifier

java.lang.Object

com.google.api.client.auth.openidconnect.IdTokenVerifier

@Beta
public class IdTokenVerifier
extends Object

Beta
Thread-safe ID token verifier based on ID Token Validation.

Call verify(IdToken) to verify a ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .build();
    ...
    if (!verifier.verify(idToken)) {...}
 

Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read Since:

1.16

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	IdTokenVerifier.Builder	Beta Builder for IdTokenVerifier.

Field Summary

Fields

Modifier and Type	Field	Description
static long	DEFAULT_TIME_SKEW_SECONDS	Default value for seconds of time skew to accept when verifying time (5 minutes).

Constructor Summary

Constructors

Modifier	Constructor	Description
	IdTokenVerifier()
protected	IdTokenVerifier(IdTokenVerifier.Builder builder)

Method Summary

Modifier and Type	Method	Description
long	getAcceptableTimeSkewSeconds()	Returns the seconds of time skew to accept when verifying time.
Collection<String>	getAudience()	Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
com.google.api.client.util.Clock	getClock()	Returns the clock.
String	getIssuer()	Returns the first of equivalent expected issuers or null if issuer check suppressed.
Collection<String>	getIssuers()	Returns the equivalent expected issuers or null if issuer check suppressed.
boolean	verify(IdToken idToken)	Verifies that the given ID token is valid using the cached public keys.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_TIME_SKEW_SECONDS

public static final long DEFAULT_TIME_SKEW_SECONDS

Default value for seconds of time skew to accept when verifying time (5 minutes).

See Also:

Constant Field Values

Constructor Detail

IdTokenVerifier

public IdTokenVerifier()

IdTokenVerifier

protected IdTokenVerifier(IdTokenVerifier.Builder builder)

Parameters:

builder - builder

Method Detail

getClock

public final com.google.api.client.util.Clock getClock()

Returns the clock.

getAcceptableTimeSkewSeconds

public final long getAcceptableTimeSkewSeconds()

Returns the seconds of time skew to accept when verifying time.

getIssuer

public final String getIssuer()

Returns the first of equivalent expected issuers or null if issuer check suppressed.

getIssuers

public final Collection<String> getIssuers()

Returns the equivalent expected issuers or null if issuer check suppressed.

Since:

1.21.0

getAudience

public final Collection<String> getAudience()

Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.

verify

public boolean verify(IdToken idToken)

Verifies that the given ID token is valid using the cached public keys. It verifies:

• The issuer is one of getIssuers() by calling IdToken.verifyIssuer(String).
• The audience is one of getAudience() by calling IdToken.verifyAudience(Collection).
• The current time against the issued at and expiration time, using the getClock() and allowing for a time skew specified in {#link getAcceptableTimeSkewSeconds() , by calling IdToken.verifyTime(long, long).

Overriding is allowed, but it must call the super implementation.

Parameters:

idToken - ID token

Returns:

true if verified successfully or false if failed